METHOD AND SYSTEM FOR TRACKING COMPUTER 
SYSTEM USAGE THROUGH A REMOTE ACCESS 
SECURITY DEVICE 



RELATED APPLICATIONS 

[0001] This application is a continuation of US Application Serial No. 
09/008,344, filed January 16, 1998, pending, the entirety of which is 
incorporated herein by reference. 

BACKGROUND OF THE INVENTION 



[0002] The present invention relates to a system and method for monitoring 
access to each of a plurality of unrelated host computer networks. More 
particularly, the present invention relates to a system and method of tracking 
computer usage, and costs associated with the computer usage, by authorized 
users of different computer networks. 

[0003] Many organizations, both in government and in private industry, 
rely on access to centralized computer facilities. Use of remote access 
capabilities to centralized computer facilities is generally desirable in order to 
facilitate use of computer resources and improve productivity. Remotely 
located individuals who are, for example, traveling on business, often need to 
access their organization's computer. A concern of many organizations is 
monitoring the costs of remote users accessing the host computer or computer 
network of the company, in addition to tracking the usage of computer time 
and various costs associated with that time. 

[0004] Typically, each organization's computer facility tracks computer 
usage internally and generates various reports based on that information. Also, 
the costs associated with remotely dialing up an organization's computer 
facilities, such as the telephone line charges, are reported separately by each of 
the one or more long distance line carriers utilized by the remotely located 
computer users. Additional costs of maintaining a remotely accessible 
computer network, such as supporting an information services person or 
department to handle difficulties with remote access by authorized users, may 
take up significant resources particularly in smaller organizations. 

BRIEF DESCRIPTION OF THE DRAWINGS 

[0005] FIG. 1 illustrates a preferred embodiment of a system for monitoring 
computer usage and costs associated with remote access according to the 
present invention. 

[0006] FIG. 2 is a flow chart showing a preferred method of monitoring 
computer usage and costs using the system of FIG. 1. 

DETAILED DESCRIPTION OF THE 
PRESENTLY PREFERRED EMBODIMENTS 

[0007] An advantage of the present invention is consolidation of usage and 
billing information in a single report. Another advantage of the present 
invention is the ability to manipulate the usage and billing data for each of a 
number of different host computer networks by individual user and by 
predetermined groups or departments of users at each organization. The 
preferred method and system cooperate with a system for securing access 
between remotely located computer users and the computers of different 
organizations for which they are permitted access. 

[0008] FIG. 1 illustrates a preferred system 10 for securing access between 
remotely located computer users and computers of different organizations in 
addition to monitoring access and maintaining billing records for each host 
computer system. The system 10 includes at least one remotely located user 
computer 12. A secure identification card 14 is associated with the user and 
the user computer 12. A user computer 12 preferably communicates over 
standard telephone lines, also known as plain old telephone service (POTS) 
lines 17, via modem 16 through the public switched telephone network (PSTN) 
18. The system 10 of the present invention may use other commonly available 
communication devices, such as an ISDN terminal adapter or a 
communications server, in place of the analog modem. The user computer may 
be a personal computer or another computer network. One suitable secure ID 
card is available from Security Dynamics, Inc. of Cambridge, Massachusetts 
and includes a display showing a time variant pass code for use by an 
authorized user in accessing a host computer network. 

[0009] A communications server 20, which may be a router such as a Cisco 
5200, is in communication with a security service bureau 22 over a frame relay 
network 18. The security service bureau 22 may be a local area network 
(LAN) 26 that includes at least one administrative workstation 28 for 
monitoring operation of the security service bureau 22. A suitable 
administrative workstation 28 may be any of a number of commonly available 
personal computers. A network access server (NAS) 30 is also connected to 
the LAN 26. The LAN 26 of the service bureau 22 connects to the frame relay 
network 24 via a firewall 32. The firewall may be a personal computer, such 
as those available from SUN Microsystems, running software available from 
SOLARIS to provide protection to the service bureau LAN 26 from outside 
corruption. The NAS 30 may be any of a number of servers available from 
Hewlett Packard, such as the HP712, HP755, or the HP720. The NAS 30 of 
the service bureau 22 controls access of remote users, through the 
communication server 20 and frame relay network 24, to the multiple host 
computer networks 34 or stand alone computers. In the example of FIG. 1, 
each of the host computer networks or stand alone computers utilizes the 
service bureau to authenticate remote users at various computers 12. One 
system and method for authenticating users through a service bureau is 
disclosed in a commonly assigned U.S. application serial no. 09/008,527, filed 
January 16, 1998, and is hereby incorporated by reference in its entirety. 

[0010] The system 10 also includes an integrated service center (ISC) 35 
and an enterprise service system (ESS) 37. The ISC 35 preferably includes a 
computer configured to accept all service requests from various end user host 
computer networks desiring to add or remove computer use monitoring 
services or change the list of authorized users for the network. Additionally, 
the ISC 35 receives telephone calls from end users 12 seeking help relating to 
remote access services. The ISC 35 assigns help requests to the appropriate 
party in the system 10. In one embodiment, the ISC 35 is a vertically 
integrated service center and help desk for video, audio, and data 
communications. 

[0011] The ESS 37 is a master database containing lists of periodic user 
charges, also known as "per seat" charges, for the various host computer 
systems serviced by the system 10. The ESS 37 also contains a list of field 
service fees associated with a respective host computer network 34 and records 
any extra services used by a host computer network 34 and its authorized users. 
The fees for each particular host computer network are negotiated prior to 
beginning services to a particular host computer network and associated 
authorized users. The negotiated fees may be stored as tables in the ESS. The 
ESS 37 may be a server running UNIX software such as a SPARC Server 
available from SUN Microsystems. The ESS receives updates on authorized 
users and subscribing host computer networks from the ISC. 

[0012] A network management center (NMC) 39 is in communication with 
the ISC 35 and a private corporate intranet 19 via the ESS 37. The NMC 39 
receives help requests from the ISC and provides a help desk for network 
infrastructure problems, performance issues and chronic desktop problems. 
The NMC 39 uses a pre-entered user definition and information to create a 
trouble record for resolving issues associated with remote access services 
provided to the host computer networks 34. Each trouble call is stored at the 
NMC 39. The NMC serves to provide proactive surveillance of all physical 
lines and communications servers in the system as well as handling trouble 
calls passed on from the ISC. 

[0013] A customer service center (CSC) 40 is also linked to the system 10 
via the ESS and the private corporate intranet 19. The CSC 40 manages the 
ordering of POTS services and repairs of business lines (e.g. DS1, ISDN, etc.). 
A billing application communicates over the corporate intranet 19, via the ESS 
37, with the NAS 30 and other system 10 components to obtain necessary 
billing information concerning host computer networks 34 and their respective 
users. Preferably, the billing application is a software application running 
within the ESS containing logic necessary to organize cost data by per user and 
per entity within a particular client's (host computers) organization. 
Alternatively, the billing application may be a discrete billing computer 42 
executing the necessary logic to obtain and manipulate billing information. 

[0014] Utilizing the system 10 described above, a preferred method of 
monitoring access to each of the host computer networks subscribing to the 
system security services is illustrated in FIG. 2. Each computer network 34 
provides an associated list of authorized users that is maintained at the ISC, 
ESS, and NAS 30 (at step 50). An authorized user accessing a host computer 
exchanges the information with the NAS 30, via the communication server, 
each time the user dials in to gain access to his respective host computer 
network 34. A starting time stamp is created at the beginning of each remote 
access call received from a user at the communication server 20 (at step 52). In 
a preferred embodiment, the remote user accesses his respective host computer 
network by dialing in through the PSTN 18 using a modem 16 or other 
communication device to reach a network communications server 20. The 
communication server 20 forwards information on the call through the frame 
relay network 24 to the service bureau 22. At the service bureau 22, the NAS 
30 authenticates the user through the exchange of a user name and a pass code. 

[0015] The pass code preferably consists of a fixed personal identification 
number and a time variable security token. The security token may be a soft 
token, such as a software application on each authorized user's computer, or a 
hard token, such as a secure ID card 14 available from Security Dynamics, Inc. 
Each authorized user preferably has her own security token and the security 
token may be a sequence of numbers, letters, or other type of symbol. Using 
the secure ID card 14, the security token is obtained by the user from a display 
that generates a new security token at predetermined time increments. The 
NAS 30, containing an identical security token generating algorithm 
synchronized with the secure ID card 14 generates the same security token to 
verify that the user is an authorized user. On authentication, the 
communication server 20 connects the user computer 12 to the appropriate host 
computer 34 for the duration of the call. The NAS 30 receives an ending time 
stamp from the communication server 20 at the conclusion of the remote access 
call when the user hangs up or otherwise disconnects from the host computer 
network 34 (at step 54). Following the conclusion of the remote access call, 
the service bureau stores the starting and ending time stamps in the NAS 
memory. Preferably the starting and ending time stamps are associated in the 
user log with the list of authorized users so that the user log contains a record 
of computer time usage for each authorized user (at step 56). 
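
The pass code check described in [0015] (a fixed PIN plus a time-variant token that the NAS regenerates from an algorithm synchronized with the card) can be illustrated with the following Python. It is an added example, not code from the patent or from Security Dynamics. The card's actual token algorithm is not given on the page, so the example stands in an HMAC-based one-time password (RFC 4226 HOTP driven by a 60-second time step, in the manner of RFC 6238); the step length, six-digit token, PIN-first pass code layout, user records, card seed and PIN salt are all constructed assumptions. It also shows two checks a NAS operator would want: a small drift window so a card whose clock has slipped one step still authenticates, and rejection of a token window that has already been consumed, so that a pass code observed during a call cannot be reused within its validity period.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60     # assumed length of the card's "predetermined time increment"
TOKEN_DIGITS = 6      # assumed token length
DRIFT_STEPS = 1       # accept one step either side to tolerate card/NAS clock drift
PIN_SALT = b"constructed-salt"  # constructed; a real NAS would keep a per-user salt


def hotp(secret: bytes, counter: int, digits: int = TOKEN_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def token_at(secret: bytes, now: float, step: int = STEP_SECONDS) -> str:
    """The token a card synchronized with this secret would display at time `now`."""
    return hotp(secret, int(now // step))


def pin_hash(pin: str) -> bytes:
    """Slow hash of the fixed PIN so the NAS never stores the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), PIN_SALT, 100_000)


# Constructed NAS records for authorized users; the page describes the list, not its format.
USERS = {
    "alice": {
        "pin_hash": pin_hash("1234"),
        "secret": b"alice-card-seed-constructed",  # constructed card seed
        "network": "net-A",
        "last_counter": -1,  # highest time step already used to authenticate
    },
}


def verify_passcode(username: str, passcode: str, now: float,
                    step: int = STEP_SECONDS, drift: int = DRIFT_STEPS) -> bool:
    """Check PIN + time-variant token; reject tokens for a step that was already consumed."""
    rec = USERS.get(username)
    if rec is None or len(passcode) <= TOKEN_DIGITS:
        return False
    pin, token = passcode[:-TOKEN_DIGITS], passcode[-TOKEN_DIGITS:]
    pin_ok = hmac.compare_digest(pin_hash(pin), rec["pin_hash"])
    counter = int(now // step)
    matched = None
    for candidate in range(counter - drift, counter + drift + 1):
        if candidate <= rec["last_counter"]:
            continue  # this step's token was already accepted once: treat as a replay
        if hmac.compare_digest(hotp(rec["secret"], candidate), token):
            matched = candidate
            break
    if pin_ok and matched is not None:
        rec["last_counter"] = matched  # consume the step so the same token cannot be reused
        return True
    return False


if __name__ == "__main__":
    now = 1_000_000.0
    code = "1234" + token_at(USERS["alice"]["secret"], now)
    print("first use accepted:", verify_passcode("alice", code, now))
    print("second use accepted:", verify_passcode("alice", code, now))
```

The `last_counter` bookkeeping is what turns a time-variant token into a one-time one: without it, any pass code seen during a step stays valid until the step rolls over, and the drift window makes that period longer than the step itself.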

[0016] After the end of the predetermined billing period, the user log is 
transmitted from the service bureau in a discrete file generated at the NAS to 
the billing computer 42 (at step 58). The billing period may be any desired 
length of time, such as a month or a year. The list of host computer networks 
and associated list of authorized users for a host computer network is also 
transmitted to the billing computer (at step 60) from the NAS over the frame 
relay network. The billing computer then generates a billing summary for each 
of the subscribing customer host computer networks (at step 62). 

[0017] As part of the process of developing a periodic bill for customers 
subscribing to the system, a long distance carrier invoice is electronically 
transmitted to the billing computer from a long distance telephone service 
provider. The long distance service provider may be any one of a number of 
available service providers, such as Ameritech, selected by the host computer 
network. The long distance telephone service provider transmits a minutes of 
use invoice for the long distance access number used by authorized users of a 
given host computer network to access the security service bureau. The long 
distance access number may be an "800" number or other telephone number 
dedicated for use by authorized users to communicate with the appropriate host 
computer through the system 10. 

[0018] Because each authorized user of a given host computer network is 
provided with the same telephone number, the billing computer can use the 
unique pass code each user possesses to distribute the minutes of use charge to 
the appropriate. Preferably, the long distance charges are distributed 
appropriately among the users of each host computer network based on a user's 
percentage of computer access time for that billing period. The ESS 39 
provides fixed expense information to the billing computer 42 by way of 
monthly per seat charges and incident charges. Incident charges refer to the 
fees assessed to calls by authorized users to the system help desk at the CSC. 

[0019] Using all the information gathered, the billing computer creates 
various usage information and billing forms based on the services subscribed 
for and the usage of each individual authorized user. For example, in 
one preferred embodiment a bill may be generated that breaks up authorized 
users into the various departments to which they are assigned within a 
customer's organization. For each authorized user in the department a 
predetermined group of information may be displayed. This information may 
include per seat charges, the cost of long distance telephone usage (distributed 
among authorized users based on the amount of time a user was 
communicating with the host computer network), any equipment charges, 
maintenance charges, and miscellaneous charges. The per seat charges refer to 
fixed service charges associated with supporting each authorized user. The 
miscellaneous costs may include incidental security cost such as replacing 
secure ID cards, or for particular pieces of software necessary for enabling 
remote users to access their host network through the security service 
bureau 22. Optionally included in the per seat charges are the local exchange 
and other incidental charges. Once the billing summary has been generated, 
the billing computer can transmit the billing summary directly to the 
appropriate host computer network. The transmission may be done via e-mail 
over an internet connection, via facsimile, or through other means. 
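
The billing steps of [0016] through [0019] (sum each user's call time from the NAS user log, split a network's carrier minutes-of-use invoice among that network's users in proportion to their access time, add per-seat and incident charges, and group users by department) are carried through in the following Python. It is an added example and not the patent's billing application; the log entries, authorized-user list, carrier invoice amounts, department names and incident fees are all constructed sample data. Beyond what the text states, it flags log entries that match no authorized user or whose ending stamp precedes the starting stamp, which is the reconciliation check a billing operator would want before trusting a usage file.

```python
from collections import defaultdict
from datetime import datetime

# Constructed NAS user log: user, host network, starting and ending time stamps per call.
USER_LOG = [
    ("alice", "net-A", "1998-01-05T08:00:00", "1998-01-05T09:00:00"),
    ("bob",   "net-A", "1998-01-06T10:00:00", "1998-01-06T10:30:00"),
    ("alice", "net-A", "1998-01-07T13:00:00", "1998-01-07T13:30:00"),
    ("carol", "net-B", "1998-01-08T09:00:00", "1998-01-08T11:00:00"),
    ("eve",   "net-A", "1998-01-09T09:00:00", "1998-01-09T09:10:00"),  # not on the authorized list
]

# Constructed ESS data: authorized users with department and monthly per-seat charge.
AUTHORIZED = {
    "alice": {"network": "net-A", "department": "sales",       "per_seat": 25.00},
    "bob":   {"network": "net-A", "department": "engineering", "per_seat": 25.00},
    "dave":  {"network": "net-A", "department": "engineering", "per_seat": 25.00},
    "carol": {"network": "net-B", "department": "finance",     "per_seat": 30.00},
}

# Constructed carrier minutes-of-use invoice: one amount per network's access number.
CARRIER_INVOICE = {"net-A": 48.00, "net-B": 20.00}

# Constructed incident charges: help-desk calls billed per user.
INCIDENTS = {"bob": [15.00]}


def usage_minutes(log, authorized):
    """Sum call minutes per authorized user; return log entries that cannot be billed."""
    minutes = {user: 0.0 for user in authorized}
    unmatched = []
    for user, network, start, end in log:
        rec = authorized.get(user)
        if rec is None or rec["network"] != network:
            unmatched.append((user, network, start, end))  # no authorized user for this call
            continue
        s, e = datetime.fromisoformat(start), datetime.fromisoformat(end)
        if e < s:
            unmatched.append((user, network, start, end))  # ending stamp precedes starting stamp
            continue
        minutes[user] += (e - s).total_seconds() / 60.0
    return minutes, unmatched


def distribute_long_distance(minutes, authorized, invoice):
    """Split each network's carrier invoice among its users by share of access time."""
    total_by_network = defaultdict(float)
    for user, m in minutes.items():
        total_by_network[authorized[user]["network"]] += m
    share = {}
    for user, m in minutes.items():
        network = authorized[user]["network"]
        total = total_by_network[network]
        share[user] = round(invoice.get(network, 0.0) * m / total, 2) if total else 0.0
    return share


def billing_summary(log, authorized, invoice, incidents):
    """Build the per-network, per-department, per-user bill plus the flagged log entries."""
    minutes, unmatched = usage_minutes(log, authorized)
    long_distance = distribute_long_distance(minutes, authorized, invoice)
    summary = defaultdict(lambda: defaultdict(dict))
    for user, rec in authorized.items():
        line = {
            "minutes": minutes[user],
            "per_seat": rec["per_seat"],
            "long_distance": long_distance[user],
            "incidents": sum(incidents.get(user, [])),
        }
        line["total"] = round(line["per_seat"] + line["long_distance"] + line["incidents"], 2)
        summary[rec["network"]][rec["department"]][user] = line
    return summary, unmatched


def department_totals(summary):
    """Roll the per-user totals up to one figure per department within each network."""
    return {net: {dept: round(sum(u["total"] for u in users.values()), 2)
                  for dept, users in depts.items()}
            for net, depts in summary.items()}


if __name__ == "__main__":
    summary, unmatched = billing_summary(USER_LOG, AUTHORIZED, CARRIER_INVOICE, INCIDENTS)
    for net, depts in summary.items():
        for dept, users in depts.items():
            for user, line in users.items():
                print(net, dept, user, line)
    print("department totals:", department_totals(summary))
    print("log entries needing review:", unmatched)
```

A user with no calls in the period (dave above) still carries the per-seat charge but no share of the carrier invoice, matching the page's distinction between fixed and usage-distributed costs; the flagged entries are returned rather than silently dropped so that the discrepancy between the carrier's minutes and the billed minutes is visible.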

[0020] Another aspect of the presently preferred invention is that computer 
usage information may be provided to the customer and the service provider 
maintaining the security service bureau 22 so that computer resources may be 
optimized for usage patterns. For example, the billing computer may generate 
monthly or annual reports dividing up the usage for each individual authorized 
user by total time used per a given period or by time of day or week so that 
host computer network 34 or service bureau 22 resources can be properly 
allocated for particularly heavy usage. 

[0021] From the above, a new system and method of monitoring access and 
fees for host computer networks with relocated users is provided. The method 
includes maintaining a list of host computer networks and associated list of 
authorized users for each network, creating a starting and ending time stamp 
for remote access calls, transmitting the starting and ending time stamps in the 
user log to a billing computer in addition to other billing information, and 
generating a billing summary of costs and usage at the billing computer. The 
system preferably includes a security service bureau providing secure remote 
access between remotely located authorized users and their respective 
proprietary host networks. In one preferred embodiment, the NAS preferably 
records time stamps and a user log indicating usage of resources by individual 
authorized users. A billing computer is also included in the system having the 
logic necessary to compile information from the user log in the security service 
bureau and cost information received from outside sources to generate a 
periodic bill indicating cost per individual user and/or department. 

[0022] It is intended that the foregoing detailed description be regarded as 
illustrative rather than limiting, and that it be understood that the following 
claims, including all equivalents, are intended to define the scope of this 
invention. 